VoIP Coming To Air Traffic Control

When heavy rains in October 2015 flooded the radar room of the Austin-Bergstrom International Airport’s air traffic control tower and terminal radar approach control center, knocking out crucial voice and radar feeds, it took FAA technicians several days to transfer those feeds to the backup location. In the interim, even a satellite communications link failed to provide relief due to severe weather and heavy rainfall.
A year earlier, the same was true in Chicago when a ...

"VoIP Coming To Air Traffic Control" is part of Aviation Week & Space Technology’s subscription package.

This article gives two examples of system outages. One by natural disaster, the other sabotage.

Each brought down a portion of the ATC system.

Are they sound reason to expose our entire ATC system to malicious attack or collateral exposure to some other internet malice 24/7?

Consider the typical VoIP vulnerabilities:
1. Insufficient verification of data: In VoIP implementations, this may allow man-in-the-middle attacks.
2. Execution flaws: database vulnerabilities are a weak point.
3. String/array/pointer manipulation flaws: Malformed packets with unexpected structures and content can exist in any protocol messages. This allows great exploits like buffer-overflow attacks and other boundary-value conditions.
4. Low bandwidth: Nothing like a Distributed Denial of Service attack. The whole world dialing your number at the same time.
5. Low resources: Especially in embedded devices. May enable VoIP shutdown in embedded devices
6. File/resource manipulation flaws: Typical implementation mistakes like programming errors created by insecure programming constructs
7. Password management. First try admin, then password, then 12345 ... Better yet, try Social Engineering.
8. Permissions and privileges: Root around why don’t you?
9. Authentication and certificate errors: Nothing like having an attacker spoof registration messages and reregister himself as a valid user
10. Homogeneous network: Where a network has a wide dependence on a limited number of vendors and devices. If an entire network depends on one brand of device, proxy or firewall, one automated attack such as a trojan virus or worm can shut down the whole network.

"The hacking of the National Security Agency (NSA) security tools by the Shadow Brokers raises some serious questions about what information the NSA should be releasing, according to eweek.com.

The balance between the NSA’s need to protect its hacking capabilities and the need to protect U.S. computers has to be addressed in light of the recent breach, several security observers have noted. The NSA did not notify the software vendors of the recent Shadow Brokers hacking.

The Shadow Brokers announced on Twitter on Aug. 13 they would auction off cyber-espionage tools taken from the Equation Group, which is widely considered part of the U.S. National Security Agency (NSA)."

Is it just possible that the FAA has chosen to use one or more of the government's isolated web technology networks forcing any hacker to gain physical access? All of the current comm facilities are vulnerable to the kind of insider attacks that require physical access, they just take too much time to reconfigure in the event of intentional or accidental damage. A VOIP based system on an isolated net can be reconfigured in a heartbeat. Isn't that better than waiting hours for paths to be reconfigured?

Concerns about VOIP security are unfounded, really. My firm has been selling and managing VOIP services for companies for over 3 years, and we've never had an account hacked or system go down for a prolonged period of time. VOIP security boils down to good configuration, strong passwords, properly configured firewall, and a solid backup protocol. Visit PennTelco.com for more information.

The technology available to the hackers of this era and the cleverness of its users is such that it is doubtful whether you or your venerable IT staff would even know whether your VOIP client accounts have been hacked unless the hacker took the system down or, short of that, prevented specific connections from being made or added sound content to the message stream that made it obvious that something was awry. The hacker's presence could, but not necessarily would, become obvious at that point, but why reveal yourself if listening to message traffic from and to a particular client is your real goal?

The Internet is an open system (by design, dating back to the days of Darpa net), and as such never secure. It is just a game of cat and mouse (creating great business for several companies), but you cannot change its fundamentals. You might want to use voip as a backup, but as a primary system you might some day end up with an awful lot of aircraft in the air ... and no more communication. Good luck explaining the results (probably significant loss of life) to the public.
